author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-02-02 15:26:55 +0000 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-02-02 15:26:55 +0000 |
commit | a6b64c00c491c5e563e90bda35b2e4ccc02edb94 (patch) | |
tree | 8dc04a4d85f1bd7f7322a5abccdfd3354b67ad44 /xen/xsm/flask/hooks.c | |
parent | 21149fb130a38cb7625191f79917f2190f6cccec (diff) | |
xsm/flask: Improve domain ID auditing in AVCs
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'xen/xsm/flask/hooks.c')
-rw-r--r-- | xen/xsm/flask/hooks.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index ad1013fed2..649c473d88 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -37,11 +37,15 @@ static int domain_has_perm(struct domain *dom1, struct domain *dom2,
 u16 class, u32 perms)
 {
 struct domain_security_struct *dsec1, *dsec2;
+ struct avc_audit_data ad;
+ AVC_AUDIT_DATA_INIT(&ad, NONE);
+ ad.sdom = dom1;
+ ad.tdom = dom2;
 dsec1 = dom1->ssid;
 dsec2 = dom2->ssid;
- return avc_has_perm(dsec1->sid, dsec2->sid, class, perms, NULL);
+ return avc_has_perm(dsec1->sid, dsec2->sid, class, perms, &ad);
 }
 static int domain_has_evtchn(struct domain *d, struct evtchn *chn, u32 perms)
@@ -1323,6 +1327,7 @@ static int flask_mmu_normal_update(struct domain *d, struct domain *t,
 unsigned long fmfn;
 struct domain_security_struct *dsec;
 u32 fsid;
+ struct avc_audit_data ad;
 if (d != t)
 rc = domain_has_perm(d, t, SECCLASS_MMU, MMU__REMOTE_REMAP);
@@ -1337,13 +1342,22 @@ static int flask_mmu_normal_update(struct domain *d, struct domain *t,
 if ( l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_RW )
 map_perms |= MMU__MAP_WRITE;
+ AVC_AUDIT_DATA_INIT(&ad, RANGE);
 fmfn = get_gfn_untyped(f, l1e_get_pfn(l1e_from_intpte(fpte)));
+ ad.sdom = d;
+ ad.tdom = f;
+ ad.range.start = fpte;
+ ad.range.end = fmfn;
+
 rc = get_mfn_sid(fmfn, &fsid);
+
+ put_gfn(f, fmfn);
+
 if ( rc )
 return rc;
- return avc_has_perm(dsec->sid, fsid, SECCLASS_MMU, map_perms, NULL);
+ return avc_has_perm(dsec->sid, fsid, SECCLASS_MMU, map_perms, &ad);
 }
 static int flask_mmu_machphys_update(struct domain *d, unsigned long mfn) |
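Review bot: The newly added `put_gfn(f, fmfn);` in the third hunk releases the lookup using the machine frame that `get_gfn_untyped` returned, while the lookup itself was keyed on the guest frame `l1e_get_pfn(l1e_from_intpte(fpte))`; if `put_gfn` follows the rest of the p2m API and expects the GFN that was looked up, this should read `put_gfn(f, l1e_get_pfn(l1e_from_intpte(fpte)));`. Placing the release before the `if ( rc )` check is right, since it then runs on both the error and success paths. Separately, the RANGE audit data carries two unrelated values rather than a range — `ad.range.start` is the raw PTE with its flag bits and `ad.range.end` the resolved MFN — so a comment such as `/* Not a true range: audit the raw PTE and the MFN it resolved to. */` above `ad.range.start = fpte;` would save the next reader from misreading the AVC output. The enclosing flask_mmu_normal_update begins outside this hunk.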